1. Roles
For the marketing site, Torvo Ltd is the data controller.
For data captured inside a Torvo platform vertical, Torvo Ltd acts as a data processor on behalf of the customer organisation, which is the controller of its own operational data. A written data-processing agreement (DPA) governs every customer relationship.
2. ICO registration
Torvo Ltd is registered with the UK Information Commissioner's Office under registration number 00013608468.
3. Data Protection Officer
Torvo does not currently meet the statutory threshold requiring a designated DPO. Privacy and data-protection enquiries are handled by the founder directly, with external professional support retained for regulated-sector DPIA work where required.
Privacy contact: [email protected].
4. Lawful bases
- Demo requests - consent for contact about the requested demo, alongside Torvo's legitimate interest in responding to business enquiries.
- Customer onboarding - contract performance.
- Operational data inside a vertical - controlled by the customer organisation under their lawful basis.
- Server logs - legitimate interest (security, abuse prevention).
5. Data subject rights
You may exercise any UK GDPR right by emailing [email protected]. We respond within one calendar month. For requests concerning operational data inside a vertical, we route the request to the controller (your organisation) and assist them in responding within statutory timescales.
6. International transfers
Torvo's core platform infrastructure runs on EU-hosted services (Hetzner, Germany). Where a sub-processor is based outside the UK/EU (e.g. Anthropic for LLM inference), the transfer is covered by Standard Contractual Clauses and an additional safeguards assessment under the UK International Data Transfer Agreement.
7. Security measures
- SSH key-only server access; password authentication disabled.
- fail2ban on every public service; UFW firewall hardened to known traffic only.
- Unattended security upgrades enabled.
- TLS in transit; encryption at rest for customer data where supported by the deployment.
- Per-organisation tenant isolation enforced at every database query (the org_id rule: every query is scoped to the requesting organisation's org_id).
- Append-only audit log on every personal-data mutation.
- External security review planned as part of regulated deployments.
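As an added illustration of the tenant-isolation and append-only audit bullets above (example code written for this page, not Torvo's own implementation; the schema, table names and org ids are assumed), this shows an org_id predicate that the wrapper injects into every query and an audit table that database triggers make append-only:

```python
import sqlite3

# Constructed sample schema (assumed for this example, not Torvo's schema).
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, email TEXT NOT NULL);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, action TEXT NOT NULL,
                        row_id INTEGER, ts TEXT NOT NULL DEFAULT (datetime('now')));
-- Append-only: refuse any UPDATE or DELETE against the audit table.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
  BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
  BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

class TenantDB:
    """All data access goes through this wrapper and is scoped to one org_id."""
    def __init__(self, conn: sqlite3.Connection, org_id: str):
        if not org_id:
            raise ValueError("org_id is required for every query")
        self.conn, self.org_id = conn, org_id

    def list_contacts(self):
        # The org_id predicate is supplied by the wrapper, never by the caller.
        rows = self.conn.execute(
            "SELECT id, email FROM contacts WHERE org_id = ?", (self.org_id,))
        return [(r[0], r[1]) for r in rows]

    def add_contact(self, email: str) -> int:
        # Every personal-data mutation writes an audit row in the same transaction.
        cur = self.conn.execute(
            "INSERT INTO contacts (org_id, email) VALUES (?, ?)", (self.org_id, email))
        row_id = cur.lastrowid
        self.conn.execute(
            "INSERT INTO audit_log (org_id, action, row_id) VALUES (?, 'contacts.insert', ?)",
            (self.org_id, row_id))
        self.conn.commit()
        return row_id

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    acme, beta = TenantDB(conn, "org-acme"), TenantDB(conn, "org-beta")
    acme.add_contact("a@example.com")
    beta.add_contact("b@example.com")
    visible = acme.list_contacts()          # only org-acme's row is returned
    try:                                    # tampering with the trail is rejected
        conn.execute("DELETE FROM audit_log")
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True
    audit_rows = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return visible, tamper_blocked, audit_rows
```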
8. Data retention
Marketing-side retention is documented in the Privacy Policy. Operational retention inside a vertical is set by the customer organisation under its written DPA and can be configured per deployment.
9. Data Protection Impact Assessments
Regulated-sector deployments should complete a written DPIA and DPA before operational pilot use. DPIA artefacts are shared with the controller as part of onboarding. Independent review is engaged for care, SEND, and policing verticals where required.
10. Breach notification
If a personal-data breach affects a customer organisation, we notify the controller without undue delay and within 72 hours of becoming aware of the breach, providing the information required under Article 33 UK GDPR. We support the controller's notification to the ICO and to affected data subjects where required.
11. Complaints
If you're not satisfied with our response to a privacy enquiry, you have the right to complain to the Information Commissioner's Office at ico.org.uk or by post to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Questions? Email [email protected].